
I have set up a Debian server and let it join our domain.

Our company has multiple domain controllers around europe.

I have installed Winbind, Samba, Kerberos5, PAM and OpenSSL on this machine. After the domain join I noticed that this machine tries to authenticate to every domain controller in our domain with LDAP and Kerberos, which causes extremely long wait times before we can log in via SSH.

Is there a way to force Debian to only authenticate with the domain controller on our site?

phL
  • Could you provide some information about how to join the Debian server to the Windows domain? – c4f4t0r May 28 '20 at 11:32
  • You mean like the configuration I use? I can post this in about 1 hour. The documentation I used for it was from https://www.sysadminblog.at/?p=186 – phL May 28 '20 at 11:49

1 Answer


Do you have the site structure set up correctly? You can check this using 'Active Directory Sites and Services' on any DC.

Make sure you have a site for each location that has one or more DCs and make sure each DC is in the correct site.

Then create subnets for all IP ranges in use and assign each subnet to its site or the closest (= shortest latency) site.

This should force your Debian servers to use the closest DC instead of trying to authenticate to all of them.

knurmia
  • Our network is set up that way, but the Debian server still tries to authenticate with every other server. Is there no way to tell winbind or Kerberos to only use a specific domain controller? – phL Jun 09 '20 at 11:37
  • I can't test this at the moment since I don't have an environment with AD domain joined Linux servers, but I did find an answer right here in [StackExchange](https://serverfault.com/questions/838988/how-do-i-get-samba-to-use-a-specific-domain-controller) – knurmia Jun 09 '20 at 19:30
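
The subnet-to-site assignment described in the answer, as an added example that is not part of the original thread: it picks the most specific matching subnet for a client IP and builds the site-scoped DNS SRV names under which that site's DCs are registered. The subnets, site names and the domain `example.corp` are constructed assumptions; a client whose IP matches no subnet is left with the domain-wide records, which list every DC.

```python
import ipaddress

# Constructed sample data: subnet -> site assignments as they would be
# defined in 'Active Directory Sites and Services' (all names hypothetical).
SUBNETS = {
    "10.0.0.0/8": "Frankfurt",      # broad range assigned to the hub site
    "10.20.0.0/16": "Vienna",
    "10.20.30.0/24": "Vienna-DMZ",
}
DOMAIN = "example.corp"  # hypothetical AD DNS domain


def site_for(ip, subnets=SUBNETS):
    """Return the site of the most specific subnet containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, site in subnets.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, site)
    return best[1] if best else None


def srv_names(ip, domain=DOMAIN, subnets=SUBNETS):
    """DNS SRV names a site-aware client can use to locate DCs and KDCs."""
    site = site_for(ip, subnets)
    if site is None:
        # No subnet matches: only the domain-wide records apply, and those
        # list every DC in the domain.
        return [f"_ldap._tcp.dc._msdcs.{domain}",
                f"_kerberos._tcp.dc._msdcs.{domain}"]
    return [f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}",
            f"_kerberos._tcp.{site}._sites.dc._msdcs.{domain}"]


if __name__ == "__main__":
    for ip in ("10.20.30.7", "10.20.99.1", "10.9.9.9", "192.168.1.5"):
        print(ip, site_for(ip), srv_names(ip)[0])
```

Resolving the resulting names from the Debian host (for example with `dig SRV`) shows which DCs are actually registered for the site the server's address falls into.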